headscale

Henri Dohmen 2025-05-14 23:43:38 +02:00
parent 26b5a32ab1
commit 3daa817aad
6 changed files with 120 additions and 38 deletions


@ -59,6 +59,7 @@
imports = [ imports = [
./host/roam ./host/roam
mod.shared.all mod.shared.all
mod.server.all
]; ];
}; };
}; };


@ -1,51 +1,52 @@
{ ... }: { ... }:
{ {
networking.networkmanager.enable = true;
networking.networkmanager.wifi.macAddress = "random";
hardware.bluetooth.enable = true; hardware.bluetooth.enable = true;
services.blueman.enable = true; services.blueman.enable = true;
systemd.services.NetworkManager-wait-online.enable = false;
services.tailscale = { services.tailscale = {
enable = true; enable = true;
useRoutingFeatures = "client"; useRoutingFeatures = "client";
}; };
systemd.services.NetworkManager-wait-online.enable = false; networking = {
enableIPv6 = true;
networking.networkmanager.ensureProfiles.profiles = { networkmanager.enable = true;
"tuda-vpn" = { networkmanager.wifi.macAddress = "random";
connection = { networkmanager.ensureProfiles.profiles = {
autoconnect = "false"; "tuda-vpn" = {
id = "tuda-vpn"; connection = {
type = "vpn"; autoconnect = "false";
}; id = "tuda-vpn";
ipv4 = { type = "vpn";
method = "auto"; };
}; ipv4 = {
ipv6 = { method = "auto";
addr-gen-mode = "stable-privacy"; };
method = "auto"; ipv6 = {
}; addr-gen-mode = "stable-privacy";
vpn = { method = "auto";
authtype = "password"; };
autoconnect-flags = "0"; vpn = {
certsigs-flags = "0"; authtype = "password";
cookie-flags = "2"; autoconnect-flags = "0";
disable_udp = "no"; certsigs-flags = "0";
enable_csd_trojan = "no"; cookie-flags = "2";
gateway = "vpn.hrz.tu-darmstadt.de"; disable_udp = "no";
gateway-flags = "2"; enable_csd_trojan = "no";
gwcert-flags = "2"; gateway = "vpn.hrz.tu-darmstadt.de";
lasthost-flags = "0"; gateway-flags = "2";
pem_passphrase_fsid = "no"; gwcert-flags = "2";
prevent_invalid_cert = "no"; lasthost-flags = "0";
protocol = "anyconnect"; pem_passphrase_fsid = "no";
resolve-flags = "2"; prevent_invalid_cert = "no";
service-type = "org.freedesktop.NetworkManager.openconnect"; protocol = "anyconnect";
stoken_source = "disabled"; resolve-flags = "2";
xmlconfig-flags = "0"; service-type = "org.freedesktop.NetworkManager.openconnect";
password-flags = 0; stoken_source = "disabled";
xmlconfig-flags = "0";
password-flags = 0;
};
}; };
}; };
}; };

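--- a/mod/server/all.nix
+++ b/mod/server/all.nix
@@ -0,0 +1,8 @@
+{ mod, ... }:
+{
+imports = with mod.server; [
+services
+networking
+security
+];
+}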

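--- a/mod/server/networking.nix
+++ b/mod/server/networking.nix
@@ -0,0 +1,28 @@
+{ ... }:
+{
+networking = {
+enableIPv6 = true;
+interfaces = {
+"ens3".ipv6.addresses = [
+{
+address = "2a03:4000:3b:f99::";
+prefixLength = 64;
+}
+];
+};
+defaultGateway6 = {
+address = "fe80::1";
+interface = "ens3";
+};
+firewall = {
+enable = true;
+allowedTCPPorts = [
+80
+443
+];
+};
+};
+}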
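Review bot: `address = "2a03:4000:3b:f99::"` together with `prefixLength = 64` assigns the all-zeros interface id of the /64, which RFC 4291 reserves as the subnet-router anycast address; Linux generally accepts it, but a non-zero host part such as `address = "2a03:4000:3b:f99::1";` is the conventional choice if the provider has routed the whole /64 to this machine — worth confirming against the hosting panel before relying on it. No IPv4 gateway or DHCP setting appears here, so IPv4 on `ens3` presumably relies on the NixOS default `networking.useDHCP`; a one-line comment stating that the static v6 / dynamic v4 split is intentional would save the next reader a search. Opening only 80 and 443 is appropriately minimal for an nginx frontend that handles ACME and TLS, and keeps everything else behind the firewall.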

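--- a/mod/server/security.nix
+++ b/mod/server/security.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+security = {
+acme = {
+acceptTerms = true;
+defaults.email = "acme@henri-dohmen.de";
+};
+};
+}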

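--- a/mod/server/services.nix
+++ b/mod/server/services.nix
@@ -0,0 +1,35 @@
+{ config, ... }:
+let
+headscale-domain = "headscale.hdohmen.de";
+in
+{
+services = {
+# TODO: maybe just use wireguard...
+headscale = {
+enable = true;
+address = "127.0.0.1";
+port = 8080;
+settings = {
+server_url = "https://${headscale-domain}";
+prefixes.v4 = "100.10.11.0/24";
+prefixes.v6 = "fd7a:115c:1011::/48";
+dns = {
+magic_dns = true;
+base_domain = "net.hdohmen.de";
+};
+};
+};
+nginx = {
+enable = true;
+virtualHosts.${headscale-domain} = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
+proxyWebsockets = true;
+};
+};
+};
+};
+}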
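Review bot: `prefixes.v4 = "100.10.11.0/24"` lies outside 100.64.0.0/10, the shared-address block (RFC 6598) that Tailscale clients and headscale's default configuration use for node addresses; the rest of 100.0.0.0/8 is ordinary unicast space, so the tailnet routes pushed to nodes would shadow real destinations in that range, and headscale's config validation may warn about or reject a prefix outside the CGNAT block — I'd use a sub-range such as `prefixes.v4 = "100.64.11.0/24";` (constructed example) unless the non-standard range is deliberate, in which case a comment should say why. Related, `proxyPass` hardcodes `127.0.0.1` while taking the port from `config.services.headscale.port`; `proxyPass = "http://${config.services.headscale.address}:${toString config.services.headscale.port}";` keeps both halves in sync if the bind address ever changes. Binding headscale to loopback and terminating TLS in nginx with `forceSSL`/`enableACME` and `proxyWebsockets` is the right shape for this service.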